Dridex Trojan Returns From Summer Vacation

Dridex, one of the most prolific Trojans in recent years, is ramping up its activity once again, after coming to a near stop about two months ago, Proofpoint security researchers reveal.

Earlier this year, the actors behind Dridex started distributing the Locky ransomware. Since June, the Dridex distribution has been very low, at only thousands of messages, although Locky campaigns have been running strong. Most recently, however, researchers observed a spike in Dridex distribution, which would suggest that the Trojan might be getting ready for new massive campaigns.

Compared to the previously seen runs, which amounted to millions of messages, the new infection campaigns are much smaller, at only tens of thousands of messages, Proofpoint reports. The spike in distribution was observed at the beginning of this week and focused on financial services and manufacturing organizations.

The security company reveals that most of the campaigns observed since June have been targeting Switzerland, and that multiple botnet IDs were associated with these attacks, including Dridex botnets 1124, 144, 1024, 124, and 38923. The United Kingdom, Australia, and France were also targeted in the meantime.

One of the latest campaigns was observed on Aug. 15 and 16 and involved Dridex botnet ID 228, featuring a larger than average message volume. The botnet contained configurations for banking sites in the UK, Australia, France, and the United States, while the email messages used in the run contained Word attachments (DOCM files) with malicious macros.

The use of DOCM files containing malicious macros was associated with recent Locky infection campaigns as well. After using various other methods for distribution over the past several months, Locky recently reverted to using macros again.

Proofpoint researchers reveal that the instance of Dridex observed in this campaign was targeting various back-end payment processing and transfer, Point of Sale (POS), and remote management applications. Dridex had previously been seen targeting applications, but its target list expanded significantly in August, the researchers say.

A Dridex campaign noticed on August 11, also relying on DOCM attachments for distribution, was downloading and installing botnet ID 144 and was targeting banking sites, including several in Switzerland. Messages and attachments used in this campaign were in German, one of the primary languages used in Switzerland.

In mid-July, researchers observed a Dridex campaign that downloaded and installed botnet ID 124. Also relying on malicious Word documents, this campaign likewise used subject lines, attachment names, and messages in German, the same as an attack in June that distributed Dridex botnet ID 38923 (which targeted numerous banking sites, including some in Switzerland).

In addition to the use of malicious emails, Dridex operators also rely on exploit kits (EKs) for distribution, Proofpoint researchers say. On August 9, Neutrino, currently the most used EK, was observed dropping Dridex botnet ID 1024 in Switzerland and the United Kingdom.

“The recent shift to more targeted distribution and a growing set of capabilities suggest that Dridex may be taking on a new life even as the high-volume campaigns shift to distributing almost exclusively Locky and its associated payloads. While these large campaigns may have saturated many target countries, Dridex actors are still looking to monetize the malware by targeting a smaller number of large organizations, many in financial services,” Proofpoint says.